Sonatype Blog: Latest Posts

Now Available: SSL Connectivity to Central

UPDATE: Free SSL Connectivity to Central for All — Sonatype’s project to make SSL the default connectivity option for all Central users is underway and will be complete by August 12th, 2014 (if not sooner). For details, please visit: http://www.sonatype.com/clm/secure-access-to-central.

We know how components from the Central Repository have become critical to your development efforts. We also know that you need to trust those components. Part of that trust is knowing that attackers can neither see which components you download nor tamper with them through a man-in-the-middle or Cross Build Injection (XBI) attack.

We’re making SSL connectivity to Central available to anyone who downloads open source components, regardless of the repository manager they use. Given the tremendous growth of Central, and the fact that modern applications are largely built from OSS components, this capability is likely to be leveraged by many organizations. SSL has become the standard mechanism for protecting web traffic, across the spectrum of e-commerce, banking, health care, and so on. Providing SSL support for Central means that components in transit are no longer exposed to man-in-the-middle attacks that could substitute or alter them. SSL also eliminates the potential for an attacker to gain visibility into your organization by tracking the components that you download for your development initiatives.
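As an added illustration (not part of the original post, and not Sonatype’s own configuration), this is how a Maven user pins the `central` repository to HTTPS in `~/.m2/settings.xml`, with the plain-HTTP mirror left commented out beside the corrected one. It assumes the HTTPS endpoint `https://repo1.maven.org/maven2/`; the token mechanism the post mentions is not covered here because its details are not given on the page.

```xml
<!-- ~/.m2/settings.xml : added example, not from the original post -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <!-- Weak form: plain HTTP. Both the artifacts and the list of what
         you download travel in the clear, so an on-path party can read
         or replace them (the MITM / XBI scenario the post describes). -->
    <!--
    <mirror>
      <id>central-http</id>
      <mirrorOf>central</mirrorOf>
      <url>http://repo1.maven.org/maven2/</url>
    </mirror>
    -->
    <!-- Corrected form: every request Maven would send to "central"
         is routed over TLS instead. -->
    <mirror>
      <id>central-https</id>
      <mirrorOf>central</mirrorOf>
      <url>https://repo1.maven.org/maven2/</url>
    </mirror>
  </mirrors>
</settings>
```

Maven validates the server certificate against the JVM’s truststore, so a forged endpoint fails the handshake rather than serving a modified component. Note that Maven 3.8.1 and later ship a built-in `maven-default-http-blocker` mirror that refuses plain-HTTP repositories outright, so the commented-out form above would simply be blocked on a current Maven.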

As of Nexus Pro 2.2 (available now), SSL is the default connectivity option for Nexus Pro users. Because we take the security of the ecosystem seriously, we aren’t stopping there: we’re making SSL connectivity to Central available to you even if you aren’t using Nexus Pro.

In order to ensure the highest level of performance for those who count on SSL, we are securing the service with a token. You can get a token for your organization simply by making a $10 donation, which goes to open source causes. For the first 60 days all donations will go to the Apache Software Foundation. After that, the donations will go to other open source foundations such as Eclipse. Sonatype will make the donation on behalf of Nexus Pro customers, since SSL access is included automatically for all Pro customers.

If you happen to be using Nexus OSS (any version), support for the SSL token is already included. I’ve already reached out to the Artifactory and Archiva teams, and they are working on the changes necessary to enable SSL to Central; we’ll let you know when that support is available. If you’re not using a repository manager at all, what are you waiting for?


1. Could you please list the amounts donated and to whom? I’d like to know that the money actually goes where it is intended. And why can’t I choose which open source project to which to donate rather than giving it to you first to choose on my behalf?

2. If you “take security of the ecosystem seriously” why are you charging for security? Does exposing the entire java development community–save your customers–to a MITM attack really count as concern for the ecosystem? If so, what would demonstrate a lack of concern for the ecosystem? Perhaps actively MITM’ing all of us yourself instead of waiting for someone else to do it?

3. HTTPS is the right thing to do, period. You want to run maven central for the benefit of the community and market Sonatype, then do it right.

Brian Fox

Efforts to make this free for the community are already underway. Stay tuned for more details.